[PHP] Simple Security Clarification

2002-08-21 Thread Andre Dubuc

In another thread [How do you protect individual files], Justin French stated:

In real short, you want to store the files outside your htdocs root (so they
can't be served by http) . . . 

My PHP setup serves files from DOCUMENT_ROOT=/var/www/html. If I place files 
in '/var/www/html/secure' would this provide any isolation for file access? 
Am I correct in thinking that 'below' is not the same as 'outside' doc_root, 
and that in this case, no protection would be afforded?

Tia,
Andre


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Simple Security Clarification

2002-08-21 Thread John Wards

Andre

Doc root = http://www.yoursite.com/
'/var/www/html/secure' = http://www.yoursite.com/secure/

So it's not secure

You could use .htaccess files but I am not that clued up on them

John






RE: [PHP] Simple Security Clarification

2002-08-21 Thread Jay Blanchard

[snip]
In another thread [How do you protect individual files], Justin French
stated:

In real short, you want to store the files outside your htdocs root (so
they
can't be served by http) . . .

My PHP setup serves files from DOCUMENT_ROOT=/var/www/html. If I place files
in '/var/www/html/secure' would this provide any isolation for file access?
Am I correct in thinking that 'below' is not the same as 'outside' doc_root,
and that i this case, no protection would be afforded?
[/snip]

Yes, and no. 'Secure' is below the root and is therefore less protected.
However, you can still use .htaccess directives to control the 'secure'
directory much more closely. The path could be hacked, but if there is a
requirement to login to that folder (because of .htaccess directives) then
the hacker will still have to come up with appropriate authentication.

If the root is /var/www/html then outside of the root could be
/var/www/secure so that the path cannot be hacked from the browser, but you
should still apply appropriate restrictions.

HTH!

Jay

***
* Texas PHP Developers Conf  Spring 2003  *
* T Bar M Resort  Conference Center  *
* New Braunfels, Texas*
* San Antonio Area PHP Developers Group   *
* Interested? Contact [EMAIL PROTECTED] *
***







Re: [PHP] Simple Security Clarification

2002-08-21 Thread Stas Maximov

Outside would be in '/var/www/secure' in your case. Or any other place
your scripts have access to, save under '/var/www/html/'.

HTH, Stas









Re: [PHP] Simple Security Clarification

2002-08-21 Thread Justin French

If you can't store stuff ABOVE your doc root, you can protect them with a
.htaccess file.

I use this to refuse all *.inc files from being served:

<Files ~ "\.inc$">
Order Allow,Deny
Deny from all
</Files>

With this in mind, a quick visit to the Apache site should get you started
in the right direction.


Justin French








Re: [PHP] Simple Security Clarification

2002-08-21 Thread Andre Dubuc

On Wednesday 21 August 2002 08:15 am, Jay Blanchard wrote:
 [snip]
 In another thread [How do you protect individual files], Justin French
 stated:

 In real short, you want to store the files outside your htdocs root (so
 they
 can't be served by http) . . .

 My PHP setup serves files from DOCUMENT_ROOT=/var/www/html. If I place
 files in '/var/www/html/secure' would this provide any isolation for file
 access? Am I correct in thinking that 'below' is not the same as 'outside'
 doc_root, and that i this case, no protection would be afforded?
 [/snip]

 Yes, and no. 'Secure' is below the root and is therefore less protected.
 However, you can still use .htaccess directives to control the 'secure'
 directory much more closely. The path could be hacked, but if there is a
 requirement to login to that folder (because of .htaccess directives) then
 the hacker will still have to come up with appropriate authentication.

 If the root is /var/www/html then outside of the root could be
 /var/www/secure so that the path cannot be hacked from the browser, but you
 should still apply appropriate restrictions.

 HTH!

 Jay

Thanks Jay,

It's becoming clearer. But one question concerning:

the path could be hacked, but if there is a requirement to login to that 
folder (because of .htaccess directives)  then the hacker will still have to 
come up with appropriate authentication.

Since all sensitive files on my site require login (username/password) and 
each (https) page requires the appropriate $_SESSION variables before it'll 
load, I wonder whether I can leave things as they are (everything in the 
/html folder)? You mentioned that the path could be hacked -- if that's the 
case (even using .htaccess) would setting these sensitive files below the 
root make much difference?

Tia,
Andre





RE: [PHP] Simple Security Clarification

2002-08-21 Thread Jay Blanchard

[snip]
It's becoming clearer. But one question concerning:

the path could be hacked, but if there is a requirement to login to that
folder (because of .htaccess directives)  then the hacker will still have to
come up with appropriate authentication.

Since all sensitive files on my site require login (username/password) and
each (https) page requires the appropriate $_SESSION variables before it'll
load, I wonder whether I can leave things as they are (everything in the
/html folder)? You mentioned that the path could be hacked -- if that's
the
case (even using .htaccess) would setting these sensitive files below the
root make much difference?
[/snip]

I think that it is better to situate these sensitive files outside of the
web root accessible with appropriate authentication and session ID. You can
leave everything as is, and be reasonably assured of security. Me
personally? I would take the extra step. That way you know that you have
done all that you could possibly do.

As I have said (and many others have said), if you don't want anyone to get
a hold of the file, do not make it available from your web root.

HTH!

Jay

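The arrangement Jay and Stas recommend, written out as an added example (editor's illustration, not code posted by anyone in this thread): the sensitive files live in /var/www/secure, outside the /var/www/html document root, so Apache can never serve them by URL, and a PHP gatekeeper script inside the web root hands them out only after the session check. The script also shows the 'below' versus 'outside' distinction Andre asked about. Assumptions not in the thread: the directory name /var/www/secure (Jay's suggestion, taken literally), a session key named $_SESSION['user'] set by the existing login code, and a query parameter named file.

```php
<?php
// Added example, not from the thread. Assumes DOCUMENT_ROOT=/var/www/html
// (as in Andre's setup), sensitive files in /var/www/secure (Jay's suggested
// location) and a login elsewhere that sets $_SESSION['user'] (assumed key).

declare(strict_types=1);

const SECURE_DIR = '/var/www/secure';

/**
 * True when $path is NOT under $docroot, i.e. Apache cannot serve it by URL.
 * '/var/www/html/secure' is below the root (false); '/var/www/secure' is
 * outside it (true). Textual comparison only, so it needs no real directories.
 */
function is_outside_docroot(string $path, string $docroot): bool
{
    $docroot = rtrim($docroot, '/') . '/';
    $path    = rtrim($path, '/') . '/';
    return strncmp($path, $docroot, strlen($docroot)) !== 0;
}

/**
 * Map a user-supplied file name to an absolute path inside SECURE_DIR.
 * Returns null when the name escapes the directory ("../", absolute paths,
 * symlinks pointing elsewhere) or the file does not exist.
 */
function safe_secure_path(string $requested): ?string
{
    // Only the final path component is accepted: "../../etc/passwd" collapses
    // to "passwd", which then has to actually exist inside SECURE_DIR.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(SECURE_DIR);
    $full = realpath(SECURE_DIR . '/' . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() follows symlinks, so a link inside SECURE_DIR that points
    // somewhere else resolves outside $base and is refused here.
    if (strncmp($full, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/** Serve one file from SECURE_DIR to the current request, or refuse. */
function serve_secure_file(string $requested): void
{
    session_start();
    if (empty($_SESSION['user'])) {          // login state set by the site's login page
        http_response_code(403);
        exit('Login required');
    }
    $path = safe_secure_path($requested);
    if ($path === null) {
        http_response_code(404);             // same answer for "missing" and "not allowed"
        exit('No such document');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Andre's question: 'below' the document root is not 'outside' it.
    foreach (['/var/www/html/secure', '/var/www/secure'] as $dir) {
        printf("%-22s outside document root: %s\n", $dir,
               is_outside_docroot($dir, '/var/www/html') ? 'yes' : 'no');
    }
} elseif (isset($_GET['file'])) {
    // e.g. https://www.yoursite.com/getfile.php?file=report.pdf (script name assumed)
    serve_secure_file((string) $_GET['file']);
}
```

Run from the command line it only reports which of the two directories is outside the root; deployed as a script under /var/www/html it is the single path through which the protected files can reach a browser, so the $_SESSION check runs on every download regardless of how the URL was guessed. The .htaccess approach Jay and Justin mention is a second, independent layer; this script does not replace it.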


